RE: New XAUTH draft
Yes, I have a comment [on ISAKMP XAUTH]. A number of the authentication
methods expressed here require the edge device to understand which
authentication method is needed in advance of receiving the 'user name' from
the remote peer.
This seems limiting to me. Since it is likely that these 'legacy'
authentication methods are being used with RADIUS, wouldn't it be simple to
re-use EAP and EAP extensions to RADIUS?
This would allow the 'edge device' to be ignorant of the authentication
required, or the process needed to enact it. This saves complication in the
'edge' device, allows central control of authentication policy and higher
granularity on user/authentication mapping.
A quote from EAP spec:
"The PPP Extensible Authentication Protocol (EAP) is a general
protocol for PPP authentication which supports multiple
authentication mechanisms. EAP does not select a specific
authentication mechanism at Link Control Phase, but rather postpones
this until the Authentication Phase. This allows the authenticator
to request more information before determining the specific
authentication mechanism. This also permits the use of a "back-end"
server which actually implements the various mechanisms while the PPP
authenticator merely passes through the authentication exchange."
regards, Steve.
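The pass-through arrangement described above, as an added illustration that is not from this thread or from the XAUTH draft: the edge device sends only the EAP Identity request, the back-end picks a method (here MD5-Challenge) after it has seen the user name, and the edge relays the packets without parsing the method. The packet helpers follow the RFC 2284 EAP layout; the user table, secret and server class are constructed for the example.

```python
import hashlib, hmac, os
# EAP packet layout (RFC 2284): code(1) id(1) length(2) [type(1) type-data]
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, MD5_CHALLENGE = 1, 4

def eap_pack(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body

def eap_unpack(pkt):
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    return pkt[0], pkt[1], (pkt[4] if length > 4 else None), pkt[5:]

USERS = {b"alice": ("md5", b"alice-secret")}  # constructed; held only by the back-end
class BackendServer:
    # Selects the method only after the Identity response has arrived.
    def __init__(self):
        self.pending = {}  # identifier -> (secret, challenge)
    def handle(self, pkt):
        code, ident, eap_type, data = eap_unpack(pkt)
        if code == RESPONSE and eap_type == IDENTITY:
            method, secret = USERS.get(data, (None, None))
            if method != "md5":  # unknown user, or a method this server does not run
                return eap_pack(FAILURE, ident)
            challenge = os.urandom(16)
            self.pending[ident + 1] = (secret, challenge)
            return eap_pack(REQUEST, ident + 1, MD5_CHALLENGE, bytes([16]) + challenge)
        if code == RESPONSE and eap_type == MD5_CHALLENGE and ident in self.pending:
            secret, challenge = self.pending.pop(ident)
            expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
            ok = len(data) == 17 and data[0] == 16 and hmac.compare_digest(data[1:], expected)
            return eap_pack(SUCCESS if ok else FAILURE, ident)
        return eap_pack(FAILURE, ident)

def peer_respond(pkt, username, secret):
    _, ident, eap_type, data = eap_unpack(pkt)
    if eap_type == IDENTITY:
        return eap_pack(RESPONSE, ident, IDENTITY, username)
    challenge = data[1:1 + data[0]]  # MD5-Challenge: value-size byte, then value
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return eap_pack(RESPONSE, ident, MD5_CHALLENGE, bytes([16]) + digest)

def run_exchange(username, secret):
    # Edge device role: send the Identity request, then relay opaque EAP packets.
    backend, pkt = BackendServer(), eap_pack(REQUEST, 0, IDENTITY)
    while eap_unpack(pkt)[0] == REQUEST:
        pkt = backend.handle(peer_respond(pkt, username, secret))
    return eap_unpack(pkt)[0] == SUCCESS
```

The edge never inspects the type byte, so adding a second method is a change to the back-end's user table alone.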
-----Original Message-----
From: Stephane Beaulieu [mailto:sbeaulieu@TimeStep.com]
Sent: Tuesday, May 18, 1999 4:34 PM
To: ipsec; ipsra; internet-drafts@ietf.org
Subject: New XAUTH draft
Greetings,
An updated revision of the Extended Authentication within
ISAKMP/Oakley draft is now available.
The URL is <ftp://206.191.59.148/draft-ietf-ipsec-isakmp-xauth-04.txt>
Comments are welcome.
Stephane Beaulieu TimeStep Corporation
sbeaulieu@timestep.com http://www.timestep.com
(613) 599-3610 x4709 Fax: (613) 599-3617